This fix did not resolve the issue. That is, more XSSAuditor tests are
failing on the Qt bot. So, we're going ultimately going to rollout the
change committed in change set 53044 <​http://trac.webkit.org/changeset/53044>,
but we need to first rollout the attempted fix committed in change
set 53045.

(WebCore::disableLigatures): Added an ATSUStyle parameter.
(WebCore::initializeATSUStyle): Look up the ATSUStyle in the map and
initialize if necessary. Return the ATSUStyle.
(WebCore::ComplexTextController::collectComplexTextRunsForCharactersATSUI):
Use the ATSUStyle returned from initializeATSUStyle().

platform/graphics/mac/SimpleFontDataMac.mm:

(WebCore::SimpleFontData::platformInit):
(WebCore::SimpleFontData::platformDestroy): Destroy the ATSUStyles in the
map.
(WebCore::SimpleFontData::getCFStringAttributes): Look up the attributes
dictionary in the map and initialize if necessary.

DOMData is the base class for ChildThreadDOMData and MainThreadDOMData classes
but it does not have a virtual destructor. While this isn't currently causing
any leaks, since there are no instances of ChildThreadDOMData or
MainThreadDOMData that are manipulated via a DOMData pointer, the ARM GCC
compiler generates the following compilation error:

Clean up some logic around "directly composited" content: some images, video, and WebGL.

We previously set the GraphicsLayer background color to the CSS background color
in some cases where the box has no other decorations. However, the content
layer's bounds do not correspond with the background box in many cases,
and we could end up both painting the background color, and setting it on the layer.

Simplify this logic to never use layer background colors, and thus skip allocating
backing store only when the element has no visible box decorations.

rendering/RenderLayerBacking.cpp:
(WebCore::is3DCanvas): Utility to determine if a RenderObject is a canvas with WebGL
(WebCore::RenderLayerBacking::RenderLayerBacking): Remove m_hasDirectlyCompositedContent.
(WebCore::RenderLayerBacking::updateGraphicsLayerConfiguration): canUseDirectCompositing()
is renamed to isDirectlyCompositedImage() and only applies to images now.
No longer set layer background color.
(WebCore::RenderLayerBacking::updateGraphicsLayerGeometry): Just use hasPaintedContent()
as the argument to setDrawsContent().
(WebCore::hasBoxDecorationsOrBackground): Renamed.
(WebCore::RenderLayerBacking::hasNonCompositingContent):
(WebCore::hasBoxDecorationsOrBackgroundImage): Renamed from hasBoxDecorations().
(WebCore::RenderLayerBacking::isSimpleContainerCompositingLayer): Moved test for
hasOverflowControls() into hasNonCompositingContent() and removed the FIXME comment.
(WebCore::RenderLayerBacking::containsPaintedContent): New method that decides
if the layer (and its non-composited children) has any content that must be painted into backing store.
(WebCore::RenderLayerBacking::isDirectlyCompositedImage): Renamed from canUseDirectCompositing()
and reduced to only apply to images.
(WebCore::RenderLayerBacking::rendererContentChanged): 3D canvas no longer falls under the
canUseDirectCompositing() scope.

To be able to run multiple instances of run-webkit-tests besides each other on the same machine we need to minimize
the time when Apache and WebSocketServer is locked by tests.
Because closeHTTPD() and closeWebSocketServer() is only called at the end of the testing,
we need to run http and websocket tests after all other tests.
If one however explicitly specifies the tests to run in the argument list of run-webkit-tests
we need to preserve the given order.

Factory related code removed from QtAbstractWebPopup. Popups are now created
by ChromeClientQt.
Popup content information struct added to class QtAbstractWebPopup.
PopupMenuClient is now hidden from higher layers.
QtAbstractWebPopup now receives content information and font as parameters
of method populate.
QtFallbackWebPopup moved to WebKit/qt/WebCoreSupport.

Fixed media test failures caused by ​http://trac.webkit.org/changeset/52998.
The media controller on Windows now has a full-screen button, which changes
the layout and therefore the test results. I regenerated them for
Windows.

Switch WebKit to build a static library on all platforms. Add a
webkit_unit_tests executable target that runs the unit tests and also
ensures that we don't have any missing symbols (a function that WebKit
as a shared library used to serve).

Changes chromium_src_dir to ../../WebKit/chromium to match how
WebCore.gyp defines that variable.

This is a speculative fix. I do not have a Snow Leopard machine to test on
and I've not seen mention of someone being able to reproduce this locally.

Prevent watchdog timer from firing after a test completes but before
the next one starts, causing the error to appear in the next test.

DumpRenderTree/mac/DumpRenderTree.mm:
(dump): Stop the watchdog before printing #EOF for the test content.
We only need to care about the JavaScript of the test running too long
or some hang in WebCore. Any other failures will be covered by the calling
script's own watchdog timer.

[Win] Support padding-right on selects when webkit-appearance is off. Added a test
case for narrow selects with -webkit-appearance: none, and padding left and right to
show that both types of padding are honored.

manual-tests/select-webkit-appearance-off-narrow-select.html: Added.

platform/win/PopupMenuWin.cpp:

(WebCore::PopupMenu::calculatePositionAndSize): Use clientPaddingRight instead of a hardcoded constant.

rendering/RenderMenuList.cpp:

(WebCore::RenderMenuList::clientPaddingRight): If webkit-appearance is off, use padding-right instead of
the hardcoded constant.

Windows buid fix - disable warning 4251 (class needs to have dll-interface to be used by
clients of another class). WebCore doesn't use all methods of JSString, so
we don't export all classes clients could theoretically access via JSString.

In r49365, some code was moved from JSString.cpp to JSString.h, and as a result, WebCore
got a way to directly instantiate JSStrings over DLL borders. Since vftable for JSString was
not exported, objects created from WebCore got a different vptr, and JavaScriptCore
optimizations that relied on vptr of all JSString objects being equal failed.

config.h: Added a JS_EXPORTCLASS macro for exporting classes. It's currently the same as
JS_EXPORTDATA, but it clearly needed a new name.

runtime/JSGlobalData.h:
Store vptrs just once, no need to repeatedly pick and copy them. This makes it possible to
assert vptr correctness in object destructors (which don't have access to JSGlobalData,
and even Heap::heap(this) will fail for fake objects created from storeVPtrs()).

runtime/JSArray.cpp: (JSC::JSArray::~JSArray): Assert that vptr is what we expect it to be.
It's important to assert in destructor, because MSVC changes the vptr after constructor
is invoked.

runtime/JSByteArray.cpp: (JSC::JSByteArray::~JSByteArray): Ditto.

runtime/JSByteArray.h: Ditto.

runtime/JSFunction.h: Ditto.

runtime/JSFunction.cpp: (JSC::JSFunction::~JSFunction): Ditto.

runtime/JSCell.h: (JSC::JSCell::setVPtr): Added a method to substitute vptr for another
one.

runtime/JSString.h: Export JSString class together with its vftable, and tell other
libraries tp import it. This is needed on platforms that have a separate JavaScriptCore
dynamic library - and on Mac, we already did the export via JavaScriptCore.exp.
(JSC::JSString::~JSString): Assert tha vptr is what we expect it to be.
(JSC::fixupVPtr): Store a previously saved primary vftable pointer (do nothing if building
JavaScriptCore itself).
(JSC::jsSingleCharacterString): Call fixupVPtr in case this is call across DLL boundary.
(JSC::jsSingleCharacterSubstring): Ditto.
(JSC::jsNontrivialString): Ditto.
(JSC::jsString): Ditto.
(JSC::jsSubstring): Ditto.
(JSC::jsOwnedString): Ditto.

JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Export the new static
JSGlobalData members that are used in WebCore via inline functions.

Account for scale and current context position (as well as page
position) in the device context world transform passed to
plugins. This is especially important for print surface DPI.​http://bugs.webkit.org/show_bug.cgi?id=32909.

Reviewed by Jon Honeycutt.

plugins/win/PluginViewWin.cpp:

(WebCore::PluginView::paintWindowedPluginIntoContext): Revise

world context handling to include scaling and translation
already set for the CTM.

WebView/WebView.mm:
(-[WebView _preferencesChangedNotification:]): We only want to
handle file: URLs for the user stylesheet now, so special-case the
DashboardClient's funky user stylesheet URL by mapping it to the
equivalent file URL.

bindings/js/JSDOMWindowBase.cpp:
(WebCore::JSDOMWindowBase::JSDOMWindowBase): Disabled specific function
tracking for the window object, since there's no way to do direct
method calls on the window object; they all go through the window shell.

html/HTMLMediaElement.cpp:
(WebCore::HTMLMediaElement::createRenderer): Make a RenderEmbeddedObject for the plugin-proxy case.
(WebCore::HTMLMediaElement::finishParsingChildren): Use toRenderEmbeddedObject() in the plugin-proxy code.

html/HTMLObjectElement.cpp:
(WebCore::HTMLObjectElement::createRenderer): Make a RenderEmbeddedObject
(WebCore::HTMLObjectElement::updateWidget): Use toRenderEmbeddedObject()

page/FrameView.h:

page/FrameView.cpp:
(WebCore::FrameView::addWidgetToUpdate):
(WebCore::FrameView::removeWidgetToUpdate):
(WebCore::FrameView::updateWidgets):
Objects in the m_widgetUpdateSet are only ever RenderEmbeddedObjects.

rendering/RenderEmbeddedObject.cpp: Added.

rendering/RenderEmbeddedObject.h: Added.
Most of the code moved from RenderPartObject.

Touch event tests changed to match the API and semantics of iPhone and
Android. Each new touch point press dispatches a touchstart event with
the pressed touch point(s) in the changedTouches list, and a release
dispatches a touchend event with the released touch point(s) in
changedTouches. Moved points dispatch a touchmove event, with the moved
points in changedTouches. Old behaviour emitted only one touchstart when
the first point was pressed and one touchend when the last point was
released, and any events in between were touchmoves. New presses or
releases could only be detected by comparing the lists touches and
changedTouches.

Touch events changed to match the API and semantics of iPhone and
Android. Each new touch point press dispatches a touchstart event with
the pressed touch point(s) in the changedTouches list, and a release
dispatches a touchend event with the released touch point(s) in
changedTouches. Moved points dispatch a touchmove event, with the moved
points in changedTouches. Old behaviour emitted only one touchstart when
the first point was pressed and one touchend when the last point was
released, and any events in between were touchmoves. New presses or
releases could only be detected by comparing the lists touches and
changedTouches.

CodeGeneratorV8.pm doesn't handle inheritance very well and it
tried to refer v8WebKitCSSTransformValueIndexedPropertyGetter(),
which does not exist. Because WebKitCSSTransformValue inherits
CSSValueList and CSSValueList already has HadIndexGetter, we don't
need to do anything for WebKitCSSTransformValue about HasIndexGetter.

html/HTMLElement.cpp:
(WebCore::Empty1IntHashTraits): A HashTraits to return 1 as the empty value.
(WebCore::initializeTagPriorityMap): Initialization of a static HashMap.
(WebCore::HTMLElement::tagPriority): Use the static HashMap created by initializeTagPriorityMap().

Add a flag to the ResourceResponse for tracking if a request was
fetched via SPDY. This is plumbed through so that we can inform
a webpage via JavaScript if it was fecthed via the experimental
SPDY protocol.

Add a flag to the ResourceResponse for tracking if a request was
fetched via SPDY. This is plumbed through so that we can inform
a webpage via JavaScript if it was fecthed via the experimental
SPDY protocol.

Introduce ThreadableWebSocketChannel interface and add
WorkerThreadableWebSocketChannel for Worker.
WorkerThreadableWebSocketChannel uses WebSocketChannel in the
main thread, which is managed by Peer and communicated via Bridge.

(WebCore::RenderBlock::findNextLineBreak): When kerning is enabled, include
the trailing space when measuring a word, then subtract its width. This
accounts for kerning between the last glyph of the word and the following space.

bindings/v8/V8DOMWindowShell.cpp:
(WebCore::getTargetFrame): Moved from V8CustomBinding.cpp.
(WebCore::reportUnsafeJavaScriptAccess):
(WebCore::V8DOMWindowShell::createNewContext):
(WebCore::V8DOMWindowShell::setLocation): Moved from V8CustomBinding.cpp.

page/FrameView.cpp: Notify RenderSVGRoot children about viewport size changes, just like it's handled for <body> in HTML.
(WebCore::FrameView::layout): This is important, as marker bounding boxes may depend on the current viewport size through relative coordinates used in <svg>.

rendering/RenderPath.cpp:
(WebCore::RenderPath::markerBoundingBox): Calculates and caches marker boundaries in the layout() phase.
(WebCore::RenderPath::repaintRectInLocalCoordinates): Use the cached marker bounding box during paint() time.
(WebCore::RenderPath::setPath): Clear marker boundaries upon path changes.
(WebCore::RenderPath::paint): Use SVGMarkerLayoutInfo::drawMarkers() instead of the local drawMarkersIfNeeded() function, which is gone now.
(WebCore::RenderPath::calculateMarkerBoundsIfNeeded): Utilized by markerBoundingBox() to request SVGResourceMarker objects and calculate their boundaries.

svg/graphics/SVGResource.cpp: Instead of maintaining a global hashmap between SVGStyledElements and an array of possible SVGResources, use a HashSet of SVGResources

and directly scan the already existing list of clients for a certain SVGResource. This wrong approach has been introduced over two years
ago, making the assumption that there's only one resource type per element. Though markers can provide three resources of the same type
per element (all SVGResourceMarker objects, but in different rules: start/mid/end marker). That information is only available while painting.

(WebCore::resourceSet): Add global static HashSet<SVGResource*>.
(WebCore::SVGResource::SVGResource): Add us to the resourceSet.
(WebCore::SVGResource::~SVGResource): Remove us from resourceSet.
(WebCore::SVGResource::removeClient): Traverse all SVGResource clients and remove the passed SVGStyledElement from the client list (invoked by SVGStyledElement destructor).
(WebCore::SVGResource::addClient): Remove the offending part of the old approach, making the wrong assumption regarding resource types.

svg/graphics/SVGResourceMarker.cpp:
(WebCore::SVGResourceMarker::SVGResourceMarker):
(WebCore::SVGResourceMarker::markerTransformation): Create TransformationMatrix in the local marker content (RenderSVGViewportContainer) coordinate system, to position a marker.
(WebCore::SVGResourceMarker::draw): Simplify marker drawing a lot: used the passing TransformationMatrix (cached in SVGMarkerLayoutInfo) to draw the marker content renderer.
(WebCore::SVGResourceMarker::externalRepresentation): Adopt to refX/refY -> referencePoint changes.

This implements the SVG Filter effect feImage with support of fragment urls.
It also includes a bug fix for feComposite. feComposite didn't cover values
bigger than 255 correctly on composite oeprator arithmetic.

Tests: There are already many feImage tests in trunk. They just needed updated

pixel test results.
The feComposite bug is covered by svg/W3C-SVG-1.1/filters-composite-02-b.svg
and depends on feImage.

Currently every string holds a pointer so that during destruction,
if a string has been used as an identifier, it can remove itself
from the table. By instead accessing the identifierTable via a
thread specific tracking the table associated with the current
globaldata, we can save the memory cost of this pointer.

Add a repaint test to make sure that when mutations happen in a grandchild of a block element that has no in-flow children
the entire block element is not unnecessarily repainted.
The bug only shows up when running pixel tests.

Marks a RenderBlock without block children for layout and painting when it has no line boxes only if it has inline immediate children.
The existing logic uses the existence of line boxes as a dirty flag to indicate that line boxes need to be regenerated. This heuristic
fails when the RenderBlock does not have any in-flow children at all, causing the RenderBlock to get unnecessarily marked for layout and
painting. This is particularly bad for common scrollbar manipulation tricks like putting one positioned div inside another - this
structure caused the entire outer div's bounds to get scheduled for a paint whenever there was any mutation of any descendant.

The timing calculation was just off. It was starting the
second animation at 600ms and then checking to be half-way
done with the 1 second animation at 1000ms. Instead, just
modify the animation to run a bit earlier.

Make IWebView::close and destroying a WebView's HWND optional for WebKit clients

WebView will now take care of these operations itself when its last
reference is released, if they haven't already been done.

IWebView::close now also destroys the WebView's HWND. All WebKit
clients were already performing these operations in succession anyway,
or were attempting to by calling IWebView::close then destroying the
WebView's host window (which actually resulted in the WebView's HWND
leaking, and the crash in the below bug).

(WebView::~WebView): Don't try to destroy m_viewWindow here. That
should already have happened. Assert that this is the case.
(WebView::close): If m_viewWindow isn't already being destroyed,
destroy it now. Moved the call to revokeDragDrop() here from our
WM_DESTROY handler because it needs to be done before m_viewWindow is
nulled out.
(WebView::WebViewWndProc): Removed call to revokeDragDrop() that
close() now performs.
(WebView::Release): If our last reference is being released, call
close() so that clients don't have to. (It's harmless to call close()
multiple times.) We do this here instead of in the destructor because
close() can cause AddRef() and Release() to be called, and calling
those from within the destructor leads to double-destruction.
(WebView::setHostWindow): Removed an unnecessary (and now harmful)
null-check.
(WebView::revokeDragDrop): Changed an assertion into a run-time check,
since this will now sometimes be called when m_viewWindow hasn't been
created yet. Changed the IsWindow call to a null-check because we
never hold onto a destroyed m_viewWindow.
(WebView::windowAncestryDidChange): If we don't have a view window,
stop tracking changes to our parent's active state.

(WebKitAPITest::NoInitWithFrame):
(WebKitAPITest::CloseThenDestroyViewWindow):
(WebKitAPITest::DestroyViewWindowThenClose):
(WebKitAPITest::DestroyHostWindow):
(WebKitAPITest::DestroyHostWindowThenClose):
(WebKitAPITest::CloseThenDestroyHostWindow):
Added these tests that exercise tearing down a WebView in various
ways, all of which we eventually want to have work. Some of them
currently crash or leak.

[Qt] fix DRT link failures on --no-svg builds when only making changes to DRT

If you're working from a --minimal or --no-svg build and make changes to the
DRT, then recompile, the build will fail.

This is because the current behavior at build time is to assume that the
previous Qt build supported SVG and consequently delete libQtWebKit.so.
Unfortunately, just deleting libQtWebKit.so will not cause the library to
re-link. Instead the build will see libQtWebKit.so.4 and co., pass over the
linking phase, and attempt to link the DRT with libQtWebKit.so absent. This
results in a link failure on the DRT.

Since re-linking libQtWebKit can take up to ten minutes and should be avoided
in cases where not actually required, remove the assumption that
the previous Qt build supported SVG, and amend the symbol detection to look for
a symbol name that is not present in SVG builds. Currently webkitdirs.pm looks
for 'SVGElement' but even non-SVG builds contain the symbol 'isSVGElement'.

Add context menus to handle the interaction with breakpoints in the Source Frame. Currently
we use left click to add/disable/remove breakpoints, and left click to edit (for conditional
breakpoints), but this is hard to discover and behaves differently than Xcode.

Change the behavior to be more like Xcode, left click adds a breakpoint if there isn't one, and
removes it if there is one.

On the context menu, if there is no breakpoint there, we have Add Breakpoint, and Add Conditional
Breakpoint. If there is a breakpoint there, we add entries for Edit Breakpoint (edit
the condition), Remove Breakpoint, and Enable/Disable Breakpoint (based on the current state).

Follow Windows implementation of leapForward. When leapForward is called,
messages are queued and posted after the timeout. A new event loop is created to
handle those messages and the additional messages that are created as a result.

No new tests. Fix 3 layout tests when run manually.
fast/events/drag-and-drop.html
fast/events/drag-and-drop-dataTransfer-types-nocrash.html
fast/events/drag-and-drop-fire-drag-dragover.html
Running these tests in DRT will be fixed in 31332.

page/qt/DragControllerQt.cpp:
(WebCore::DragController::cleanupAfterSystemDrag):
Cleanup the drag operation if it failed to complete,
Otherwise, new drag operations will not be possible.

No new tests. Fix 3 layout tests when run manually.
fast/events/drag-and-drop.html
fast/events/drag-and-drop-dataTransfer-types-nocrash.html
fast/events/drag-and-drop-fire-drag-dragover.html
Running these tests in DRT will be fixed in 31332.

Api/qwebpage.cpp:
(dropActionToDragOp):
(dragOpToDropAction):
(QWebPagePrivate::dragEnterEvent):
(QWebPagePrivate::dragMoveEvent):
(QWebPagePrivate::dropEvent):
Accept drag events even if they are not over a drop target.
This is to ensure that drag events will continue to be delivered.

In these cases, the whole queue dies because we're in the global
exception handler. Instead of dieing here, we should just print a less
informative message to the console. We're already printing the whole
backtrace anyway, so there's not much point to stringifying the
exception anyway.

This change separate DOMWrapperWorld and IsolatedWorld from
V8IsolatedWorld. I've also renamed V8IsolatedWorld to
V8IsolatedContext in preparation for having more than one context in a
single isolated world.

This patch moves us closer to two goals:
1) Matching the structure of the JSC implementation of isolated worlds.
2) Letting scripts running in isolated contexts see into other iframes

This patch moves createWindow from V8-specific code into the generic
bindings so that is can be re-used by the JavaScriptCore bindings. I
haven't actually moved the JSC bindings over to using this yet.

Also, I organized the generic bindings a bit more as it's becoming
clearer how things are going to shape up. There are still some
question marks, but hopefully the answers will become clear as we
progress.

For an object with an aria role of "checkbox" or "radiobutton",
use the "aria-checked" attribute to determine if it's checked.
These changes add an isChecked() method to AccessibilityUIElement
so that we can check for this property from a layout test.

(WebKitAPITest::createAndInitializeWebView): Renamed from
createWebView. Now initializes the HostWindow and returns the
WebView's HWND via an out-parameter.
(WebKitAPITest::finishWebViewDestructionTest): Added. Code came from
the CloseWithoutDestroyWindow test.
(WebKitAPITest::CloseWithoutDestroyViewWindow): Renamed from
CloseWithoutDestroyWindow and changed to use the new functions.
(WebKitAPITest::MainFrameAfterClose): Changed to use the new
functions.
(WebKitAPITest::NoCloseOrDestroyViewWindow): Renamed from
NoCloseOrDestroyWindow and changed to use the new functions.